× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. RPG400-L
  3. October 2013

Re: Authority on Java calls

Justin

Seems to me you could have a profile with GID that has access only to the resources for the application. Hope I'm right on that.

That would be similar to group profiles, seems to me, that can be limited as to authority to a small set of resources.

Good luck - glad things are moving forward - your work is helping us all as to IFS authority.

Vern

On 10/10/2013 8:47 AM, Justin Taylor wrote:
I'd rather not just give the users the group since that would give them easy access to the IFS resources outside the application.

I guess it's pick-your-poison. If swapping, the application profile would need either *ALLOBJ or explicit authority to every profile that would be running the app. That would be a dangerous profile if it was ever compromised. On the other hand, the GID method requires that every app user have authority to that profile. That means any of them could (potentially) utilize that profile outside the specific app.


For now, I'm going to just go with the GID solution and see how well that flies.

Thank you all so much!


For posterity:
The qsysetegid RPGLE sample I found here: http://forums.iprodeveloper.com/forums/aft/45642
The errno RGPLE sample I found here: http://www.scottklement.com/rpg/socktut/errorhandling.html



-----Original Message-----
From: Scott Klement [mailto:rpg400-l@xxxxxxxxxxxxxxxx]
Sent: Wednesday, October 09, 2013 3:09 PM
To: RPG programming on the IBM i (AS/400 and iSeries)
Subject: Re: Authority on Java calls

Can you assign the group profile as a "supplemental group" of the user profile? Or is that giving the user too much access?

If you want to use adopted authority, you'll probably have to do a profile swap. The 'profile handle' APIs will respect adopted authority, allowing you to swap to a profile that you might not have had authority to without adopting.

But, if you do profile swapping, you need to be very careful that your application can not exit without swapping back (else the user can keep the elevated authority) and also that someone cannot simply open your program in STRDBG and change variables so that they can keep the elevated authority... etc, etc.

-SK




As an Amazon Associate we earn from qualifying purchases.

This thread ...
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.